I've been using Burp Intruder (part of Burp Suite), but in the free edition of Burp Suite the Intruder functionality is time-throttled. As a student pen tester, however, I can't justify the cost of $300 a year for the Burp Suite Professional Edition.

I know there are other great intercepting proxies out there (OWASP ZAP), but I'm after something specifically that simulates the Burp Intruder core functionality, mainly the login validation checks via the 'pitchfork' method.

It doesn't need to be integrated as part of an intercepting proxy suite; a standalone tool is fine also. It must be free or very low cost.

5 Answers

There are a lot of free tools out there. You may not find a free tool with the exact same functionality as Burp, but you could use several tools to compensate for the limitations of Burp's free version.

Use OWASP ZAP or WebScarab for their proxy functionality.

Use Nikto and w3af to scan web applications.

Use sqlmap to exploit SQL injection vulnerabilities.

Use XSSer to detect and exploit XSS vulnerabilities.

Use Powerfuzzer to fuzz parameters.

Use online encoders/decoders.

Use DirBuster to find hidden resources.

All the tools mentioned above and several others are installed by default in recent BackTrack releases.

If you are looking for a tool that is closest in functionality to Intruder, then I think that Wfuzz with its WebSlayer GUI is the one to try.

Thank you for your response. While I appreciate the list of alternate tools for other functions of the Burp Suite, unfortunately it doesn't address, as far as I can see, the core function being asked about: Intruder.
– Peleus Feb 27 '13 at 18:53

I don't know if you are aware of the OWASP Live CD; here is the link as well (http://appseclive.org/content/downloads). It has an excellent list of open-source proxies. Some of the tools are given in the list here.

It may sound like a marketing trick; however, to be honest, nothing has come up in the market that can match Burp. Burp actually addresses the shortcomings of all other major HTTP proxies in the past, be it WebScarab, Paros or others.
However, you can try Charles Proxy or keep using the free edition with FuzzDB (download from Google Code), and maybe Fiddler too.

Only for Intruder capabilities, you can always use https://code.google.com/p/fuzzdb
files rotated against certain parameters with a shell/Python script. Not only will it help you get a better grasp of manual pen testing, but you will also become proficient in scripting languages at the same time. Once you start doing this it's not a big job.
Otherwise there are loads of the usual scanners you can point and click.
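To show what the "rotate wordlist files against parameters with a script" approach from the answer above boils down to, here is an added, offline example (not code from any answer or tool on this page). It implements the two Intruder payload-positioning modes the question mentions, pitchfork (payload sets walked in lockstep) and cluster bomb (Cartesian product), over a Burp-style `§N§` request template, plus the baseline comparison a tester uses to spot which responses differ from the rest. The template, payload lists and response records are constructed sample data; nothing is sent over the network.

```python
import itertools
from collections import Counter

# Constructed request template: §N§ marks payload position N, Burp-style.
TEMPLATE = "POST /login HTTP/1.1\r\nHost: app.example\r\n\r\nuser=§0§&pass=§1§"
# Constructed stand-ins for two FuzzDB-style wordlist files.
USERS = ["alice", "bob", "carol"]
PASSES = ["candidate-1", "candidate-2", "candidate-3"]


def fill(template, payloads):
    """Substitute payload i into marker §i§ of the template."""
    out = template
    for i, payload in enumerate(payloads):
        out = out.replace(f"§{i}§", payload)
    return out


def pitchfork(template, *payload_sets):
    """Pitchfork mode: nth entry of every set together; stops at the shortest set."""
    return [fill(template, combo) for combo in zip(*payload_sets)]


def cluster_bomb(template, *payload_sets):
    """Cluster bomb mode: every combination of entries across all sets."""
    return [fill(template, combo) for combo in itertools.product(*payload_sets)]


def flag_outliers(responses):
    """Return labels of responses whose (status, length) differs from the majority.

    responses: list of (label, status_code, body_length). The most common
    status/length pair is taken as the 'rejected' baseline; anything else is
    worth a manual look, which is the same check Intruder's results grid invites.
    """
    baseline = Counter((s, n) for _, s, n in responses).most_common(1)[0][0]
    return [label for label, s, n in responses if (s, n) != baseline]


if __name__ == "__main__":
    for req in pitchfork(TEMPLATE, USERS, PASSES):
        print(req.rsplit("\r\n", 1)[-1])
    # Constructed responses: one entry differs in status and size from the rest.
    sample = [("alice", 200, 1432), ("bob", 200, 1432), ("carol", 302, 215)]
    print(flag_outliers(sample))
```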